Reputation: 1563
I am trying to search for users in my own and a third party Azure Active Directory via the application access flow. I use the following to get a valid token.
using System.Globalization;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

// Authority for the tenant being accessed; <AD> is the tenant name.
string authority = string.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/{0}", "<AD>.onmicrosoft.com");
AuthenticationContext authContext = new AuthenticationContext(authority);
// Application (client credentials) flow: no user is signed in.
ClientCredential clientCredential = new ClientCredential(<clientId>, <appKey>);
// Resource the token is requested for: Azure AD Graph API.
AuthenticationResult result = await authContext.AcquireTokenAsync("https://graph.windows.net", clientCredential);
string TokenForApplication = result.AccessToken;
I use this method to search for users with a given name.
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

public async Task<List<IUser>> UsersSearch(IActiveDirectoryClient client, string searchString)
{
    List<IUser> usersList = null;
    IPagedCollection<IUser> searchResults = null;
    IUserCollection userCollection = client.Users;
    // Match on UPN or given name prefix; only the first page (10 users) is returned.
    searchResults = await userCollection.Where(user =>
        user.UserPrincipalName.StartsWith(searchString) ||
        user.GivenName.StartsWith(searchString)).Take(10).ExecuteAsync();
    usersList = searchResults.CurrentPage.ToList();
    return usersList;
}
This all works fine on the Azure AD where I first set up the app.
But when I try to use the app in another Azure Active Directory I get the error: "Authorization_RequestDenied: Insufficient privileges to complete the operation."
In my original Azure AD I have set all the permissions I need for the app to access the graph API and search for users:
In the third party Azure AD I have gone through the Admin flow and granted the app all the needed permissions:
As far as I can see I get a valid token to each Azure AD, but I keep getting the same error whenever I try to access the third party Azure AD.
The way I change what AD I am trying to access is by changing <AD> in
string authority = string.Format(CultureInfo.InvariantCulture, "https://login.microsoftonline.com/{0}", "<AD>.onmicrosoft.com");
I keep everything else the same.
Upvotes: 0
Views: 2169
Reputation: 27538
From your screenshot, the selected permissions are for the Microsoft Graph API (https://graph.microsoft.com), but according to your code, you are acquiring a token for the Azure AD Graph API (https://graph.windows.net).
If you want to use the Azure AD Graph API, you should add permissions for Windows Azure Active Directory in the Required permissions blade of your multi-tenant app, and do admin consent in the other AAD.
If you want to use the Microsoft Graph API, you should modify your code to use https://graph.microsoft.com instead of https://graph.windows.net.
Upvotes: 2
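A quick way to confirm the mismatch the answer describes is to decode the access token ADAL returns and compare its `aud` claim (the resource it was issued for) and its `roles` claim (the application permissions that were admin-consented in that tenant) against the API you are actually calling. The following is an added example, not code from the question or answer; it builds unsigned sample tokens inline for the demo, and the role name `Directory.Read.All` and the tenant id placeholder are assumptions, not values from the page.

```python
import base64
import json

# Resource identifiers from the question and the answer.
AAD_GRAPH = "https://graph.windows.net"
MS_GRAPH = "https://graph.microsoft.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check is done:
    this is only for inspecting which resource and app roles the token carries."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, intended_resource: str, required_role: str) -> list:
    """List the reasons a call to intended_resource would be refused with
    Authorization_RequestDenied; an empty list means the token is consistent."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud")
    if aud != intended_resource:
        problems.append(f"aud is {aud!r}, but the call targets {intended_resource!r}")
    roles = claims.get("roles", [])  # app permissions consented in this tenant
    if required_role not in roles:
        problems.append(f"roles {roles} lacks {required_role!r}: grant it on the API "
                        "that matches aud and redo admin consent in that tenant")
    return problems


def _sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token for the demo (not a real Azure AD token).
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Token acquired for AAD Graph while only Microsoft Graph permissions were consented.
MISMATCHED = _sample_token({"aud": AAD_GRAPH, "tid": "<tenant-id>", "roles": []})
# Token acquired for Microsoft Graph with a directory-read app role consented.
CONSISTENT = _sample_token({"aud": MS_GRAPH, "tid": "<tenant-id>",
                            "roles": ["Directory.Read.All"]})

if __name__ == "__main__":
    print(check_token(MISMATCHED, AAD_GRAPH, "Directory.Read.All"))  # roles problem
    print(check_token(CONSISTENT, MS_GRAPH, "Directory.Read.All"))   # []
```

Feed `result.AccessToken` from the question's code into `check_token` with the resource your client actually calls; an empty `roles` claim on a token whose `aud` is the Azure AD Graph is exactly the situation the answer points out.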